fix(p1-batch): dev-portal, profile counters, consent name, puzzle liveness gate, login consistency, a11y, card heights, verify CSP #188
Merged
…le liveness gate, login consistency, a11y, card heights, verify BlazeFace CSP

Pre-demo P1 fixes (USER_FINDINGS_2026-06-02):

- #15 verify: BlazeFace modelUrl → storage.googleapis mirror (tfhub.dev was CSP-blocked) + favicon link.
- #6b: hide the dead Auth-Sessions nav entry (auth_sessions has no production writer).
- #3 developer-portal: real SDK snippet (FivucsasAuth.loginRedirect/handleRedirectCallback via verify.fivucsas.com/fivucsas-auth.js), guide link → docs.fivucsas.com, removed dead disabled View-Secret button + its unused state/imports.
- #E1: Recent-Logins count now includes MFA_COMPLETE (was USER_LOGIN-only → read 0 for MFA logins).
- #E2: enrolled-methods denominator uses METHOD_CONFIGS.length (was hardcoded 9).
- #E3: biometric-consent list shows tenant NAME (model field) + excludes the self-tenant (already shown by the toggle). Hardened the hook to pin consents to an array (malformed body no longer crashes the page).
- #14 puzzles: relax the fail-closed passive-liveness gate to hard-reject only on an explicit not-live verdict (null verdict now soft-passes — the active gesture proves liveness). Fixes 'blink completes then resets forever'.
- #1: removed the password-only 'Change' button so ALL first factors are uniform (matches verify.fivucsas; PR #145 regressed it). #1a: added a hidden username input on the identifier-first password forms (LoginPage + PasswordStep) for a11y + password managers.
- #11: enrollment cards use a fixed 2-line description height → uniform card sizes.

tsc clean; full vitest 1037 passed + 0 errors; production build OK.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pre-demo P1 batch from `USER_FINDINGS_2026-06-02.md`. No new i18n keys. `tsc` clean · full vitest 1037 passed / 0 errors · production build OK.

- `modelUrl` → `storage.googleapis.com/learnjs-data/face_detector` (tfhub.dev was CSP-blocked) + favicon `<link>`
- `auth_sessions` has no production writer; route kept)
- `new FivucsasAuth().loginRedirect()` + `handleRedirectCallback()` via `verify.fivucsas.com/fivucsas-auth.js`), guide link → `docs.fivucsas.com`, removed the permanently-disabled View-Secret button + its unused state/imports
- `MFA_COMPLETE` too (was `USER_LOGIN`-only → read 0 for MFA logins)
- `METHOD_CONFIGS.length` (was hardcoded `9`)
- `consents` to an array (malformed body no longer crashes the page)
- `autocomplete="username"` input on identifier-first password forms (a11y / password managers)

Notes / follow-ups:

(a) adding PASSKEY + APPROVE_LOGIN enrollment cards (the other half of #11) is a feature with unclear APPROVE_LOGIN enroll semantics — intentionally not in this PR.
(b) Stale PR #90 overlaps `FacePuzzle.tsx` / `verify-app/index.html` — recommend closing it as superseded.
(c) #6 tenant-switcher role-label fix is api PR #194; the optional post-switch toast is a follow-up.

🤖 Generated with Claude Code
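
The #15 item moves the BlazeFace model URL because tfhub.dev was CSP-blocked. The following is an added example, not code from this PR or the project: a simplified `connect-src` matcher that can be run in a test to confirm a model host is covered by the policy before shipping. The policy string, `SELF_ORIGIN`, the model file names and all function names are assumptions made for illustration; redirects and percent-decoding are not modelled.

```javascript
// Added example: simplified CSP source matching for fetch() targets (connect-src).
// CONSTRUCTED policy and origin; the project's real header is not shown on the page.
const SELF_ORIGIN = "https://verify.fivucsas.com";
const SAMPLE_POLICY =
  "default-src 'self'; connect-src 'self' https://storage.googleapis.com/learnjs-data/";

// Parse a header value into { directive: [sources] }; the first duplicate wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Match one source expression: 'self', "*", scheme-source, or host-source
// (optional scheme, leading "*." wildcard, optional port, optional path).
function matchesSource(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source === "*") return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false; // keywords such as 'none' or nonces never match a URL
  const [, scheme, wildcard, host, port, path] = m;
  const want = scheme ? scheme.toLowerCase() + ":" : new URL(selfOrigin).protocol;
  // An http: source also matches the https: version of the same host.
  if (url.protocol !== want && !(want === "http:" && url.protocol === "https:")) return false;
  const h = url.hostname.toLowerCase(), expected = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + expected) : h !== expected) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port ? port !== "*" && urlPort !== port : url.port !== "") return false;
  if (!path) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// fetch()/XHR are governed by connect-src, falling back to default-src.
function isFetchAllowed(policy, target, selfOrigin = SELF_ORIGIN) {
  const d = parseCsp(policy);
  const sources = d["connect-src"] ?? d["default-src"];
  if (!sources) return true; // no applicable directive: not restricted
  const url = new URL(target);
  return sources.some((s) => matchesSource(s, url, selfOrigin));
}
```

Scoping the source to the `/learnjs-data/` path rather than the whole `storage.googleapis.com` host keeps other buckets on that shared host outside the allowlist.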